[ipfire-3.x.git] / pam_ldap / patches / pam_ldap-184-nsrole.patch

Add a role check, like the existing group membership check.
Submitted to upstream #382.

diff -up pam_ldap-184/pam_ldap.5 pam_ldap-184/pam_ldap.5
--- pam_ldap-184/pam_ldap.5	2008-11-17 13:36:03.000000000 -0500
+++ pam_ldap-184/pam_ldap.5	2008-11-17 13:37:35.000000000 -0500
@@ -333,6 +333,10 @@ group specified in the
 .B pam_groupdn
 option.
 .TP
+.B pam_nsrole <role>
+Specifies a value which the user's entry's "nsRole" attribute must match
+for logon authorization to succeed.
+.TP
 .B pam_min_uid <uid>
 If specified, a user must have a POSIX user ID of at least
 .B uid
diff -up pam_ldap-184/pam_ldap.c pam_ldap-184/pam_ldap.c
--- pam_ldap-184/pam_ldap.c	2008-11-17 13:35:52.000000000 -0500
+++ pam_ldap-184/pam_ldap.c	2008-11-17 13:35:56.000000000 -0500
@@ -499,6 +499,11 @@ _release_config (pam_ldap_config_t ** pc
       free (c->groupdn);
     }
 
+  if (c->nsrole != NULL)
+    {
+      free (c->nsrole);
+    }
+
   if (c->filter != NULL)
     {
       free (c->filter);
@@ -639,6 +644,7 @@ _alloc_config (pam_ldap_config_t ** pres
   result->userattr = NULL;
   result->groupattr = NULL;
   result->groupdn = NULL;
+  result->nsrole = NULL;
   result->getpolicy = 0;
   result->checkhostattr = 0;
   result->checkserviceattr = 0;
@@ -1043,6 +1049,10 @@ _read_config (const char *configFile, pa
 	{
 	  CHECKPOINTER (result->groupattr = strdup (v));
 	}
+      else if (!strcasecmp (k, "pam_nsrole"))
+	{
+	  CHECKPOINTER (result->nsrole = strdup (v));
+	}
       else if (!strcasecmp (k, "pam_min_uid"))
 	{
 	  result->min_uid = (uid_t) atol (v);
@@ -4136,6 +4146,23 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
 	rc = success;
     }
 
+  /* check the user's entry's nsRole attribute for the required value */
+  if (rc == success && session->conf->nsrole != NULL)
+    {
+      rc = ldap_compare_s (session->ld,
+			   session->info->userdn,
+			   "nsRole", session->conf->nsrole);
+      if (rc != LDAP_COMPARE_TRUE)
+	{
+	  snprintf (buf, sizeof buf, "You must have the %s role to login.",
+		    session->conf->nsrole);
+	  _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
+	  return PAM_PERM_DENIED;
+	}
+      else
+	rc = success;
+    }
+
   if (rc == success && session->conf->checkserviceattr)
     {
       rc = _service_ok (pamh, session);
--- pam_ldap-184/pam_ldap.h	2008-11-17 13:39:49.000000000 -0500
+++ pam_ldap-184/pam_ldap.h	2008-11-17 13:39:50.000000000 -0500
@@ -95,6 +95,8 @@
     char *groupdn;
     /* group membership attribute; defaults to uniquemember */
     char *groupattr;
+    /* role name; optional, for access authorization */
+    char *nsrole;
     /* LDAP protocol version */
     int version;
     /* search timelimit */
Commit	Line	Data
09a030e4 SS	1	Add a role check, like the existing group membership check.
	2	Submitted to upstream #382.
	3
	4	diff -up pam_ldap-184/pam_ldap.5 pam_ldap-184/pam_ldap.5
	5	--- pam_ldap-184/pam_ldap.5 2008-11-17 13:36:03.000000000 -0500
	6	+++ pam_ldap-184/pam_ldap.5 2008-11-17 13:37:35.000000000 -0500
	7	@@ -333,6 +333,10 @@ group specified in the
	8	.B pam_groupdn
	9	option.
	10	.TP
	11	+.B pam_nsrole <role>
	12	+Specifies a value which the user's entry's "nsRole" attribute must match
	13	+for logon authorization to succeed.
	14	+.TP
	15	.B pam_min_uid <uid>
	16	If specified, a user must have a POSIX user ID of at least
	17	.B uid
	18	diff -up pam_ldap-184/pam_ldap.c pam_ldap-184/pam_ldap.c
	19	--- pam_ldap-184/pam_ldap.c 2008-11-17 13:35:52.000000000 -0500
	20	+++ pam_ldap-184/pam_ldap.c 2008-11-17 13:35:56.000000000 -0500
	21	@@ -499,6 +499,11 @@ _release_config (pam_ldap_config_t ** pc
	22	free (c->groupdn);
	23	}
	24
	25	+ if (c->nsrole != NULL)
	26	+ {
	27	+ free (c->nsrole);
	28	+ }
	29	+
	30	if (c->filter != NULL)
	31	{
	32	free (c->filter);
	33	@@ -639,6 +644,7 @@ _alloc_config (pam_ldap_config_t ** pres
	34	result->userattr = NULL;
	35	result->groupattr = NULL;
	36	result->groupdn = NULL;
	37	+ result->nsrole = NULL;
	38	result->getpolicy = 0;
	39	result->checkhostattr = 0;
	40	result->checkserviceattr = 0;
	41	@@ -1043,6 +1049,10 @@ _read_config (const char *configFile, pa
	42	{
	43	CHECKPOINTER (result->groupattr = strdup (v));
	44	}
	45	+ else if (!strcasecmp (k, "pam_nsrole"))
	46	+ {
	47	+ CHECKPOINTER (result->nsrole = strdup (v));
	48	+ }
	49	else if (!strcasecmp (k, "pam_min_uid"))
	50	{
	51	result->min_uid = (uid_t) atol (v);
	52	@@ -4136,6 +4146,23 @@ pam_sm_acct_mgmt (pam_handle_t * pamh, i
	53	rc = success;
	54	}
	55
	56	+ /* check the user's entry's nsRole attribute for the required value */
	57	+ if (rc == success && session->conf->nsrole != NULL)
	58	+ {
	59	+ rc = ldap_compare_s (session->ld,
	60	+ session->info->userdn,
	61	+ "nsRole", session->conf->nsrole);
	62	+ if (rc != LDAP_COMPARE_TRUE)
	63	+ {
	64	+ snprintf (buf, sizeof buf, "You must have the %s role to login.",
65	+ session->conf->nsrole);
66	+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
67	+ return PAM_PERM_DENIED;
68	+ }
69	+ else
70	+ rc = success;
71	+ }
72	+
73	if (rc == success && session->conf->checkserviceattr)
74	{
75	rc = _service_ok (pamh, session);
76	--- pam_ldap-184/pam_ldap.h 2008-11-17 13:39:49.000000000 -0500
77	+++ pam_ldap-184/pam_ldap.h 2008-11-17 13:39:50.000000000 -0500
78	@@ -95,6 +95,8 @@
79	char *groupdn;
80	/* group membership attribute; defaults to uniquemember */
81	char *groupattr;
82	+ /* role name; optional, for access authorization */
83	+ char *nsrole;
84	/* LDAP protocol version */
85	int version;
86	/* search timelimit */